Re: IP address Information available with DHCP snooping?

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Wed, 13 Mar 2013 10:56:15 +0000

Dietrich,

One potential security issue with your approach is how would you
differentiate legitimate host versus an adversary? Since you are depending
on the host being initially denied access and using information from that
denial to allow them back in.

A better approach would be to use the ISE and in particular, Device
Profiling feature - you would have a lot more criteria for device
classification that allows more confidence in separating legitimate vs
unallowed endpoints. But even with Device Profiling on the ISE, you really
want an additional mechanism for authentication to achieve greater level of
access-control security.

Sadiq

On Tue, Mar 12, 2013 at 10:25 PM, Haywood, Dietrich
<dhaywood_at_qualcomm.com> wrote:

> All,
>
> Had a question I wanted to bounce off the group. Let's say I have a switch
> that is a DHCP server, but also has DHCP snooping enabled. All the ports
> are untrusted. IP source guard and Dynamic ARP inspection are configured on
> all interfaces as well. In addition to that, all ports are untrusted. When
> I have hosts connected to the switch, they pull an IP address from my DHCP
> pool, and everything is fine in the world.
>
> Now, to get to what I'm "trying" to accomplish. I want to know if it is
> possible to do the following: A user with a static IP address connects to
> the switch in question. The switch takes note of the IP address and the MAC
> address configured on the static host, before denying the user on the
> network. Then, using that information, configure an EEM script to take that
> information and configure that interface with a STATIC BINDING and set the
> interface to TRUSTED. Once the host is removed, the configuration would
> revert to its previous configuration.
>
> Any chance of this? Or am I just wasting my time?
>
> Regards,
> Dietrich
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
CCIEx2 (R&S|Sec) #19963
Blogs and organic groups at http://www.ccie.net
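For reference, the static-binding side of what Dietrich describes, written up as an added IOS configuration example (not from either poster): the static host is pinned to one MAC, IP and port through the binding table, while the port itself stays untrusted so DHCP snooping, IP Source Guard and DAI keep checking it. MAC, IP, VLAN and interface names are placeholder values.

```ios
! Added example: pre-approved static host on Gi0/1, VLAN 10.
! The binding is entered by an administrator from inventory records,
! not learned from a drop event on the port (Sadiq's point above).
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! Static IP Source Guard binding: MAC, VLAN, IP, port (placeholder values)
ip source binding 0011.2233.4455 vlan 10 10.1.1.50 interface GigabitEthernet0/1
!
! Matching DAI entry for the same host; the ARP ACL is consulted before
! the snooping binding table, so the host's ARP is permitted explicitly
arp access-list STATIC-HOSTS
 permit ip host 10.1.1.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip verify source
 ! deliberately no "ip dhcp snooping trust": a trusted access port
 ! accepts DHCP server replies from the host, which snooping exists to stop
!
! Weak variant (what an auto-whitelist that trusts the port would produce):
! interface GigabitEthernet0/1
!  ip dhcp snooping trust
!
! Verification
! show ip source binding
! show ip verify source
! show ip arp inspection vlan 10
```

The check worth keeping is `show ip source binding`: only administrator-entered entries should appear as static, and the port should still show as untrusted in `show ip dhcp snooping`.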
Received on Wed Mar 13 2013 - 10:56:15 ART

This archive was generated by hypermail 2.2.0 : Wed Apr 03 2013 - 19:06:19 ART